DETAILED ACTION
Response to Amendment 

1. This action is in response to the RCE/amendment filed 09/14/07. 
Claims 1, 9-10, 12-14, 18-22, 24-28 and 33-34 have been amended; claims 
5-6, 15-17, 23 and 29 have been cancelled. 

Response to Arguments 

2. Applicant's arguments, see the first paragraph of page 9, with respect 
to the rejection(s) of claims 33-34 under 35 USC 112, 1st paragraph, as
failing to comply with the written description requirement, have been fully 
considered but they are not persuasive. Claim 33 recites the limitation "the 
registered dynamic access check callback function is invoked such that the 
client context is augmented with client contextual data dynamically 
computed using said dynamic data." However, the part of the specification 
cited by the Applicant discloses that it is the registered Compute Dynamic 
Group callback function that performs client context augmentation (last 
sentence of page 11). 

3. Applicant's arguments with respect to the rejection(s) of claims 1-10 
and 12-29 under 35 USC 102(e) as being anticipated by Swift (6,308,274) 
have been fully considered but they are not persuasive. 

Applicant argues that Swift does not disclose dynamic data includes
authorization policy data stored in a callback access control entry and/or 
run-time data managed by the application. Swift discloses utilizing a 
restricted SID (fig. 9; col. 12, line 60 - col. 13, line 15). This restricted SID 
is: (i) dynamic data, i.e., it is part of the restricted token, which is 
dynamically generated; and (ii) run-time data managed by the application, 
i.e., the restricted token is run-time data managed by the game application. 

Applicant argues that Swift does not disclose a dynamic policy is 
tailored to an application through which the resource is accessed (page 10, 
1st paragraph). Swift discloses utilizing a dynamic policy tailored to an 
application through which the resource is accessed, i.e., an access control 
entry indicating whether a game application is allowed to access a resource 
(fig. 9; col. 12, line 60 - col. 13, line 15). 

Applicant argues that Swift does not disclose automatically invoke an 
application-defined dynamic access check routine based on such dynamic 
data and policy (page 10, last paragraph). Swift discloses that when access 
to a resource is granted based on a normal SID (a user SID or group SID), 
an application-defined dynamic access check routine based on such dynamic 
data (i.e., the restricted SID) and policy is invoked (fig. 6, step 100; fig. 7, 
step 708). 

Applicant argues that Swift further fails to teach that the dynamic data
is used to enable the application to assign temporary group membership, 
based on dynamic factors, to a client for the purpose of checking access 
rights as claimed in claim 26. Swift discloses that, at run time, a restricted 
access token having temporary group membership is created using the type 
of application used by the user to access a resource (fig. 2, element 84; col. 
6, lines 4-28; col. 12, lines 46-67). The application type is run-time data 
(i.e., evaluated at run time) managed by the application (i.e., part of the 
application). 

Claim Objections 

4. Claims 1-4, 7-10, 12-14, 12-22 and 24-25 are objected to because of 
the following informalities: "a callback access control entry" (claim 1, line 
16; claims 12 and 22, last line) should be changed to "said callback access 
control entry". Appropriate correction is required. 

Claim Rejections - 35 USC §112 

5. The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner 
and process of making and using it, in such full, clear, concise, and exact terms as to 
enable any person skilled in the art to which it pertains, or with which it is most nearly 
connected, to make and use the same and shall set forth the best mode contemplated by 
the inventor of carrying out his invention.

6. Claims 26-28 are rejected under 35 U.S.C. 112, first paragraph, as
failing to comply with the written description requirement. The claim(s) 
contains subject matter which was not described in the specification in such 
a way as to reasonably convey to one skilled in the relevant art that the 
inventor(s), at the time the application was filed, had possession of the 
claimed invention. Claim 26 recites the limitation "wherein said dynamic 
groups element and a dynamic access element utilize dynamic data that 
includes authorization policy data stored in a callback access control 
entry and/or run-time data managed by the application." (lines 8-9). The 
originally filed specification does not disclose that Dynamic Groups utilize 
data in a callback access control entry. Therefore, the limitation is 
considered new matter. Claims that are not specifically addressed are 
rejected by virtue of their dependency. 

7. Claims 33-34 are rejected under 35 U.S.C. 112, first paragraph, as 
failing to comply with the written description requirement. The claim(s) 
contains subject matter which was not described in the specification in such 
a way as to reasonably convey to one skilled in the relevant art that the 
inventor(s), at the time the application was filed, had possession of the 
claimed invention. Claim 33 recites the limitation "automatically invoking a 
dynamic access check callback function by access check application 
programming interfaces that initialize a client authorization context from a
system level authorization context or a user's security identifier, whereby 
when a user attempts to connect to the application, the registered dynamic 
access check callback function is invoked such that the client context is 
augmented with client contextual data dynamically computed using said 
dynamic data." The originally filed specification does not disclose 
using/invoking a dynamic access check callback function to (i) initialize a 
client authorization context from a system level authorization context or a 
user's security identifier, or (ii) augment the client context with client 
contextual data dynamically computed using said dynamic data. Therefore, 
the limitation is considered new matter. Claims that are not specifically 
addressed are rejected by virtue of their dependency. 

8. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and 
distinctly claiming the subject matter which the applicant regards as his invention. 

9. Claims 1-4, 7-10, 12-14, 18-22 and 24-25 are rejected under 35 
U.S.C. 112, second paragraph, as being incomplete for omitting essential 
steps, such omission amounting to a gap between the steps. See MPEP 
§ 2172.01. 

■ Regarding claim 1, the omitted steps are: initializing/computing client
authorization context (fig. 5A, step 520); updating said authorization context 
according to said determining (fig. 5A, step 540); comparing the client 
authorization context of the client to at least one access control entry of an 
access control list (fig. 5A, step 550). 

■ Regarding claim 12, the omitted steps are: comparing the client 
authorization context of the client to at least one access control entry of an 
access control list (fig. 5A, step 550); identifying an access control entry as 
a callback access control entry (Specification, page 12, lines 6-11). 

■ Regarding claim 22, the omitted steps are: initializing/computing client 
authorization context (fig. 5A, step 520); determining, via an application 
programming interface, based upon dynamic data and first dynamic policy 
whether a client authorization context is to be updated, wherein said first 
dynamic policy is tailored to an application through which the resource is 
accessed (fig. 5A, step 530); updating said authorization context according 
to said determining (fig. 5A, step 540). 

Claims that are not specifically addressed are rejected by virtue of 
their dependency. 

10. Claims 1-4, 7-10, 12-14 and 18-21 are rejected under 35 U.S.C. 112, 
second paragraph, as being indefinite for failing to particularly point out and 
distinctly claim the subject matter which applicant regards as the invention.
Regarding claim 1, it recites "said dynamic data" (lines 15-16); however, 
there are two instances of "dynamic data" (line 4 and 14). It's not clear 
which instance of "dynamic data" is referred to. Claim 12 is rejected on the 
same basis as claim 1. Claims that are not specifically addressed are 
rejected by virtue of their dependency. 



Claim Rejections - 35 USC §102 

11. The following is a quotation of the appropriate paragraphs of 35 
U.S.C. 102 that form the basis for the rejections under this section made in 
this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 
122(b), by another filed in the United States before the invention by the applicant for 
patent or (2) a patent granted on an application for patent by another filed in the United 
States before the invention by the applicant for patent, except that an international 
application filed under the treaty defined in section 351(a) shall have the effects for 
purposes of this subsection of an application filed in the United States only if the 
international application designated the United States and was published under Article 
21(2) of such treaty in the English language. 

12. Claims 1-4, 7-10, 12-14, 18-22 and 24-28 are rejected under 35 
U.S.C. 102(e) as being anticipated by Swift (6,308,274). 

The applied reference has a common assignee with the instant 
application. Based upon the earlier effective U.S. filing date of the
reference, it constitutes prior art under 35 U.S.C. 102(e). This rejection
under 35 U.S.C. 102(e) might be overcome either by a showing under 37
CFR 1.132 that any invention disclosed but not claimed in the reference was 
derived from the inventor of this application and is thus not the invention 
"by another," or by an appropriate showing under 37 CFR 1.131. 

Regarding claims 1, 3-4, 10, 12-14, 22 and 24, Swift discloses a 
method for dynamically managing access to a resource in a computer 
system having a client making a request for the resource, the method 
comprising: 

computing a client authorization context after the request for the 
resource is received from the client (col. 4, lines 46-55); 

determining, via an application programming interface, based 
upon dynamic data and first dynamic policy whether the client authorization 
context is to be updated, wherein said first dynamic policy is tailored to an 
application through which the resource is accessed (col. 6, line 5 - col. 7, 
line 35); 

updating the client authorization context according to said 
determination (col. 6, line 5 - col. 7, line 35); 

comparing the client authorization context to at least one access 
control entry of an access control list (col. 7, lines 51-61); 

identifying an access control entry as a callback access control 
entry, i.e., an access control entry of type allow (col. 5, lines 2-11); and 

in response to identifying the access control entry as a callback
access control entry and a match between an identifier in the client 
authorization context and an identifier in the callback access control entry, 
automatically invoking, via said application programming interface, an 
application-defined dynamic access check routine that performs based upon 
dynamic data and second dynamic policy in the callback access control entry 
for the application, wherein said second dynamic policy is tailored to said 
application and said dynamic data includes run-time data managed by the 
application, i.e., the restricted SID (fig. 9; col. 7, lines 51-61; col. 11, lines 
21-65; col. 12, line 60 - col. 13, line 15). 

Regarding claim 2, Swift further discloses that the first dynamic policy 
defines flexible rules for determining the client authorization context (col. 6, 
lines 5-27; col. 12, lines 16-45) and wherein said second dynamic policy 
defines flexible rules for purposes of determining access privileges (col. 7, 
lines 51-61; col. 11, lines 21-65). 

Regarding claims 7 and 18, Swift further discloses registering with the 
operating system, which is the resource manager of the computer system, 
an application-defined routine for determining dynamic groups (col. 6, lines 
38-47; col. 12, lines 36-67). 

Regarding claims 8 and 19, Swift further discloses an
application-defined routine for determining dynamic access checks is performed by the
security mechanism in the kernel (col. 11, lines 10-20). Inherently, the
routine is registered with the operating system, which is the resource 
manager of the computer system. 

Regarding claims 9, 21 and 25, Swift further discloses that the 
application-defined dynamic access check routine supplements a 
determination of access rights based upon static data and policy (col. 11, 
lines 38-56). 

Regarding claim 20, Swift further discloses comparing data to a client 
authorization context determined based upon static data and policy before 
determining whether the client authorization context is to be updated (col. 7, 
lines 5-22; col. 8, lines 8-17). 

Regarding claim 26, Swift discloses for an application in a computer 
system having a resource manager that manages and controls access to a 
resource, carrying out a dynamic authorization callback mechanism that 
provides extensible support for application-defined business rules via a set of 
APIs and DACLS including a dynamic groups element, which enables an 
application to assign temporary group membership, based on dynamic 
factors, to a client for the purpose of checking access rights, wherein said 
dynamic groups element and a dynamic access element utilize dynamic data 
that includes run-time data managed by the application (col. 5, lines 2-28; 
col. 6, lines 15-27; col. 7, lines 5-22; col. 8, lines 30-60; col. 11, lines
10-56; col. 12, line 60 - col. 13, line 15).

Regarding claim 27, Swift further discloses a dynamic access check 
element, which enables an application to perform dynamic access checks, 
via DACLS and APIs, said dynamic access checks being customized to the 
application (col. 13, lines 20-56). 

Regarding claim 28, Swift further discloses that the dynamic groups 
element and a dynamic access element are performed at the operating 
system level (col. 13, lines 20-56). Inherently the elements are registered 
with the operating system which is the resource manager of the computer 
system. 

Allowable Subject Matter 

13. Subject to the above 112, 1st paragraph rejections, claims 33-34 
would be allowable over the prior art of record. 

14. The following is a statement of reasons for the indication of allowable 
subject matter. Regarding claim 33, the limitation "the application using an 
initialization routine to register with a resource manager dynamic groups 
function that enable the application to assign temporary group membership 
based upon transient or changing factors to a client for the purpose of 
checking access rights and to register with said resource manager dynamic
access check callback functions that enable the application to perform 
customized procedures for checking access rights based on said transient or 
changing factors" in combination with "automatically invoking a dynamic 
access check callback function by access check application programming 
interfaces that initialize a client authorization context from a system level 
authorization context or a user's security identifier, whereby when a user 
attempts to connect to the application, the registered dynamic access check 
callback function is invoked such that the client context is augmented with 
client contextual data dynamically computed using said dynamic data" have 
not been taught by prior art. The closest prior art, Swift (6,308,274), 
discloses initializing a client authorization context from a system level 
authorization context or a user's security identifier and augmenting the 
client authorization context with client contextual data dynamically 
computed; however, Swift does not disclose performing those tasks by 
invoking a registered dynamic access check callback function. 

Conclusion 

15. The prior art made of record and not relied upon is considered 
pertinent to applicant's disclosure. 

U.S. Patent No. 7,216,345 to Porter 

Any inquiry concerning this communication or earlier communications
from the examiner should be directed to Minh Dinh whose telephone number 
is 571-272-3802. The examiner can normally be reached on Mon-Fri: 
10:00am-6:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Gilberto Barron can be reached on 571-272-3799. 
The fax phone number for the organization where this application or 
proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained 
from the Patent Application Information Retrieval (PAIR) system. Status 
information for published applications may be obtained from either Private 
PAIR or Public PAIR. Status information for unpublished applications is 
available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on 
access to the Private PAIR system, contact the Electronic Business Center 
(EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or
571-272-1000.